Why GCs need to take a closer look at ‘Bring Your Own Device’ policies

You're a board member of a Fortune 500 company, and it's June of 2007. After a weekend marveling at your latest gadget, you bring your shiny new first-generation smartphone into the office and tell IT “I need my e-mail on this.” With that, you kick off one of the biggest paradigm shifts of the information age: The “Bring Your Own Device” (BYOD) revolution. Over the course of the last several years, the trend that started out on the iPads of the C-suite has found its way to the pockets of employees at every level. While BYOD has been maligned for its supposed risk, it's hard to deny the appeal of having a more connected workforce.

BYOD is any policy that allows workers to supply a platform that they connect to work through. While most typically associated with tablets and smartphones, the concept extends to PCs and laptops as well. The former has been available via remote access and VPN client for the better part of two decades. However, when talking in the context of today's office, BYOD most commonly refers to the use of mobile devices.

In fact, roughly 33 percent of companies currently have a BYO smartphone policy in place, and 47 percent have policies for tablets, according to a Gartner study released earlier this year. Other research offers estimates of as high as 50 percent adoption in the U.S., and those numbers are expected to continue to climb. Many companies are expected to migrate to an exclusively BYOD environment to cut back on cost in the near future. According to the same Gartner study, 38 percent of companies will no longer provide devices by 2016, at which point 40 percent are expected to continue with a hybrid option and only 15 percent will still have no BYOD solutions. Giving the option, to work from a personal device was also shown to improve employee satisfaction.

Risky business?

The convenience factor is not the first thing on the mind of legal departments. Rather, it's the nightmare of dropping an unlocked smartphone filled with highly sensitive information in a public place that is front of mind. While data security is always a concern when dealing with a device that is so easy to misplace, employee privacy, compliance and e-discovery also pose a new and as of yet undefined set of challenges for potential calamity.

Margaret Keane, a partner at DLA Piper with 25 years of experience as a litigator, has explored many of the legal challenges the connected workplace has generated.

“When you look at it, every aspect of the workforce is changing as a result of mobile devices and social media,” Keane explains. “The whole way you enter an organization has changed, and then once you're there… the way that training is delivered, the way you connect with other people and the way you have to do your non-competes has all changed as a result.”

One area people may not always think about when they're evaluating BYOD or any other strategy that enables employees to maintain consistent access with the workplace is wage and overtime conflicts Keane adds.

“If I’m answering four to five emails an hour and I need to access a database to get the answer and it takes me 20 minutes, you're getting into real issues with overtime if you have non-exempt employees using these devices,” Keane says.

While in the past, you may just not issue non-exempt employees hardware, in the post-BYOD workplace, denying them access via personal device could result in a loss of productivity if they're frequently on the road, but it could also blurry the line where overtime payments begin. Businesses have the option to provide employees with a company issued device, but then loses out on the cost saving that a BYOD plan offered.

Then there's the potential conflict that comes with an investigation. If and when e-discovery requires an employer to provide all relevant information, it would reasonably extend to the information housed on a workplace-connected device. But corner cases abound. Would information destroyed on employer servers, but stored locally on a personal device, be subject to discovery? Would the employer have an obligation to collect that device and produce it, even if it meant sacrificing the employee's sensitive personal information?

There is undoubtedly risk surrounding BYOD, but concocting a series of corner cases to dismiss it could mean the organization loses out on the benefits of a better-connected, more available workforce. The fact of the matter is, bring your own mobile device is no longer a bleeding-edge technology, it's inevitability. The good news is that the risks are well documented, and most if not all have technology or agreement strategies to circumvent them. So then why does BYOD still give enterprise executives cause for concern?

Sound foundations

Mark Chandler, senior vice president, general counsel, secretary and chief compliance officer of Cisco, has worked firsthand on developing technology solutions that enable BYOD and has also dealt with implanting BYOD policies internally at Cisco. He says that as far as whether or not to allow BYOD, “The ship has sailed, this is a reality in enterprise today, and so enterprise now has to manage it rather than deciding to reject it or embrace it.”

Many companies can claim to have been on the forefront of the BYOD revolution, but while most are talking about the speed with which they employed the technology, Cisco claims foundational roots in the architecture that actually allowed the technology to develop.

During the development process for the first iPhone, Apple and Cisco were tied up in litigation over the name “iPhone,” which was a Cisco trademark. Cisco didn’t ask for money in the settlement but was able to use the conversations to create a partnership with Apple.

With this Cisco became the one of the first third-party software components to be added to the iPhone operating system. “A Cisco VPN client was built into it directly. We were the only external feature built-in in that way. The reason for that was because of the sense that enterprise needed to be able to enable people to use their own devices,” Chandler says.

BYOD best practices

In response to the pervasive drum beat of risk and security so top of mind with BYOD, Chandler says it's all about how the information is exchanged and access to the server is managed.

“I think when you use VPN technology and require appropriate password protection, an iPad or Android table is no more or less secure than an enterprise computing device,” he explains. “What's required is for IT managers to ensure that there are preconditions before connecting to the network, so if you're bringing your own device, then you're using it in manner consistent with the protocol.”

So while BYOD still has its risks, legal departments should be able to mitigate them by holding IT accountable to the technology aspect, and holding those using the technology accountable to agreements that protect the company from any nefarious activity or lawsuit.

Mobile device management applications offer a host of solutions for the enterprise, including the ability to sequester sensitive information in more secure partitions within a personal device and remotely wipe that data in the event the device is lost.

On the people side, Keane says, “If the employer's smart, there's a BYOD agreement that dictates how all this will work, and it may be for instance on condition of getting $70 allowance for the device plan a month, you will produce it for inspection upon request, or you agree that should you terminate your employment, that the employer has the ability to do a remote wipe.”

When GCs are evaluating the BYOD option, key considerations include the degree to which data is deposited in a fully secure container application, whether there is sufficient ability to monitor all access, the need for ongoing review of access and remediation, and how to ensure that BYOD initiatives still follow overall company data security standards, according to Wanji Walcott, managing counsel of American Express.

“As a result, a pilot project (focused on certain high-level, trusted employee stakeholders), might be an appropriate way to begin to engage these kinds of issues,” Wolcott says.

Cisco's Chandler recommends that general counsel evaluating the risks around BYOD keep three things in mind: “The first is to embrace this because it will make the company more efficient, more effective and more profitable. Second, reach out and ensure that during document searches for discovery, custodians are asked to look at personal devices. Third, make sure that the IT department grants access to personal devices through the corporate network, only when property networks security has been implemented through things like VPN.”

Experts in the IT space seem to agree that risks associated with the BYOD environment can be mitigated with thoughtful management of services and people. While legal departments need to be aware of the potential risks they pose, their unique ability to reduce expenditures on devices and improve the connectivity of a workforce outweighs those concerns.